Resecurity identified the investment scam network ‘Digital Smoke’

Resecurity identified one of the largest investment fraud networks, tracked as Digital Smoke, by size and volume of operations.

Resecurity identified one of the largest investment fraud networks by size and volume of operations, created to defraud Internet users in Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, the United Arab Emirates, Saudi Arabia, Mexico, the U.S. and other regions. The bad actors, operating as an organized crime syndicate, built a massive infrastructure to impersonate popular Fortune 100 corporations from the U.S. and the U.K., trading on their brands and market reputation to defraud consumers. Once payments are collected from the victims, the previously created resources vanish and the next campaign is set up; this is why investigators named the group “Digital Smoke”.

According to the latest FTC report, “The Top Scams of 2022”, released last week, people reported losing $8.8 billion to scams. The total damage from investment fraud, including Ponzi and pyramid schemes, exceeds $5.8 billion in the U.S. and over $77 billion worldwide (2022), with rapid growth at the start of Q1 2023. Investment fraud does serious damage to investors beyond monetary losses: a FINRA survey points to health, marital and trust problems resulting from financial scams. Businesses suffer significant damage to customer loyalty and brand reputation, which in the long run negatively affects sales and market profile.

Notably, the bad actors chose high-demand investment areas and impersonated world-known brands including ABRDN (UK), BlackRock (US), Baxter Medical (US), EVgo (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Velesto Oil (Malaysia), Lloyds Bank (UK), and many more.

The majority of the identified fraudulent projects were related to financial services, oil and gas, renewable energy, EV batteries, electric vehicles, healthcare, semiconductors, and world-recognized investment corporations and funds with a global presence.

Information about Digital Smoke, along with the identities of key actors, was shared with the Indian Cybercrime Coordination Centre (I4C) and U.S. law enforcement in Q4 2022. As a result of the coordinated action and numerous domain takedowns, the majority of the scam projects have been terminated.

The group's modus operandi centered on offering investment options in non-existent products and investment plans supposedly offered by Fortune 100 corporations and state-owned entities. The bad actors developed a large network of web resources and related mobile applications hosted with bulletproof hosting providers in jurisdictions not easily reachable for immediate takedowns; the total number of identified hosts in December 2022 alone exceeded 350, with thousands of related domains used for ‘cloaking’ (black-hat SEO), hidden redirects and short URLs that shielded the payment gateway the fraudsters used to collect payments from victims. Payments were collected via AliPay (China) and the Unified Payments Interface (UPI), an instant real-time payment system developed by the National Payments Corporation of India, along with cryptocurrencies. Notably, the combination of these methods gave the fraudsters great flexibility in processing funds, with support for Google Pay (GPay), PhonePe, Paytm, and major online-banking platforms.

The bad actors registered multiple fake domain names with spellings similar to the impersonated brands, then promoted them via social media and instant messenger apps to attract investors. Notably, the registration links planted by the bad actors contained a referral code tied to affiliates promoting the scam via YouTube and WhatsApp. Once a victim registers, the bad actors ask them to make a deposit by sending payment to an account registered in India.
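The lookalike-domain and referral-code pattern described above is exactly what a brand-exposure monitor keys on. The following is an added example, not code from Resecurity or from the article: it undoes common digit-for-letter substitutions, flags hostnames whose registrable label contains or sits within a small edit distance of a watched brand, and pulls the affiliate referral code out of the query string so promoted links can be grouped by affiliate. The brand watch list, the sample links (on the reserved .example TLD) and the `ref` parameter name are constructed assumptions for illustration, not observed indicators.

```python
"""Lookalike-domain and referral-code triage for brand-exposure monitoring.

Added example; the watched brands, sample links and the 'ref' query
parameter name are constructed assumptions, not observed indicators.
"""
from urllib.parse import parse_qs, urlparse

# Constructed watch list of brand labels, lowercase, no spaces.
BRANDS = ["lloydsbank", "blackrock", "velesto", "acwapower"]

# Constructed sample of promoted links (the .example TLD is reserved).
SAMPLE_LINKS = [
    "https://lloyds-bank-invest.example/register?ref=AF1092",
    "https://blackrok-fund.example/signup?invite=Z77&ref=PART42",
    "https://www.velesto-oil.example/plan/oilfield?ref=yt_promo",
    "https://news.example/article/digital-smoke",
    "https://acwapowers.example/?ref=WA55",
    "https://l1oydsbank-plans.example/?ref=IG8",
]

# Common digit-for-letter and letter-pair substitutions seen in typosquats.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lowercase and undo homoglyph substitutions before comparing."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Return the label left of the TLD (naive: assumes a single-label TLD)."""
    parts = host.lower().split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_match(label: str, brands=BRANDS, max_distance: int = 2):
    """Return (brand, reason) if the label resembles a watched brand, else None."""
    norm = normalize(label)
    compact = norm.replace("-", "")
    # Very short tokens match almost anything within distance 2; skip them.
    tokens = [t for t in norm.split("-") if len(t) >= 4]
    for brand in brands:
        if brand in compact:
            return brand, "contains brand"
        for tok in tokens:
            d = levenshtein(tok, brand)
            if d <= max_distance:
                return brand, f"edit distance {d} from token '{tok}'"
    return None


def triage(links, brands=BRANDS, ref_param: str = "ref"):
    """Flag brand lookalikes and extract the affiliate referral code, if any."""
    findings = []
    for url in links:
        parsed = urlparse(url)
        label = registrable_label(parsed.hostname or "")
        match = brand_match(label, brands)
        if match is None:
            continue
        brand, reason = match
        ref = parse_qs(parsed.query).get(ref_param, [None])[0]
        findings.append({"url": url, "brand": brand, "reason": reason, "referral_code": ref})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINKS):
        print(f"{f['brand']:<11} {f['reason']:<40} ref={f['referral_code']} {f['url']}")
```

The distance threshold and the homoglyph table are deliberately small; in production the label extraction should use the Public Suffix List rather than the single-label TLD assumption, and the referral codes should be stored so that takedown requests and affiliate-abuse reports can reference every link a given affiliate promoted.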

Notably, the Digital Smoke cybercriminals focused on oil markets and renewable energy products. They impersonated Velesto Oil, a Malaysia-based multinational provider of drilling services for the upstream sector of the oil and gas industry, along with major oil corporations including Shell, Glencore, Ovintiv and Lukoil. One of the latest brands abused, in January 2023, was identified as ACWA Power, based in the Kingdom of Saudi Arabia.

This focus on oil traders makes the campaign unusual, as the theme is not widely used by investment scammers. In some of the observed scams, the bad actors offered victims the opportunity to invest in new oil fields, construction of petroleum stations, and technologies related to the renewable energy sector. It is worth noting that some of the language for this pretext was copied from existing investment programs, typically aimed at entrepreneurs and franchisees looking for new business opportunities in the oil and gas sector. This activity is not typical for cybercriminals and is a clear differentiator of the Digital Smoke group. The activity spike was registered during the Christmas and New Year period, when online activity skyrockets and both Internet users and financial institutions are overwhelmed with logistics and payments. In Q1 2023 the activity continued, involving newly impersonated brands from other fields, including semiconductors and EV batteries.

Besides enterprises, the fraudsters had no qualms about targeting state-owned organizations and used their profiles to defraud users. One of the organizations impersonated by the Digital Smoke fraudsters was the India Brand Equity Foundation, a trust established by the Government of India's Department of Commerce, Ministry of Commerce and Industry. Following a similar pattern, the bad actors created multiple scams impersonating government resources in the United Arab Emirates by copying the profile of the Minister of State for Foreign Trade.

The Digital Smoke case is remarkable and confirms how investment scams have become more sophisticated than before. Fraudsters are investing large amounts of time and effort to prepare high-quality resources that look almost identical to their well-known investment product counterparts; in the case of Digital Smoke, for each investment scam they ran, they also created a separate mobile app with a unique design.

Digital Smoke clearly demonstrates how bad actors leverage cross-border payments and multiple jurisdictions to complicate investigation and the identification of their victims. Investment fraudsters exploit this weakness to blur the origin of the activity and to distribute payment flows across multiple merchants and money mules located in different countries. Resecurity identified a large network of money mules using accounts at multiple financial institutions based in India to process payments from victims. The accounts involved in the fraudulent activity have been reported to law enforcement.


“Proactive fraud intelligence gathering enables us to protect consumers and keep financial institutions aware of merchants used by cybercriminals. Their timely identification, along with tracking of the involved money mules, helps to minimize the potential damage caused by illicit activity,” said Christian Lees, Chief Technology Officer (CTO) at Resecurity, Inc.

Notably, the legitimate businesses that were impersonated suffer serious damage, both to their reputation and to customer loyalty; that is why an effective and ongoing brand protection program is one of the must-have measures for minimizing the negative side effects of such scams. Business leaders should consider monitoring the exposure of their brands online, including but not limited to social media, mobile marketplaces, and instant messaging services.

Pierluigi Paganini (SecurityAffairs – hacking, Digital Smoke)



